I did a vCenter upgrade recently and neglected to check what users and groups were configured as vCenter Administrators. The environment was configured with the local vCenter Server Administrators group assigned the Administrator role, a few other domain users with Virtual Machine user access, and a single Domain User with Administrator access.
During a vCenter Server upgrade, the installer displays a warning that it is going to remove some users that the VMware SSO Server is not aware of, and it writes a text file listing the deleted users and groups, called deleted_vc_users.txt, into the system’s temp directory. Any local server users or groups that have vCenter permissions are deleted.
During the upgrade the pop-up warned me, but I was sure that the Domain Admins group had been configured with the Administrator role (it was not; Domain Admins had been added to the local Administrators group, ugh!). The upgrade finished successfully, but it had deleted the local Administrators group from the vCenter permissions. Oh no!!!
Again, I had been warned, but thought for sure the Domain Admins group had the permissions. If the upgrade is going to delete all the users with the Administrator role, it allows you to add a group during the upgrade; since there was a single Domain User that did have the role, I did not receive this prompt.
I could have tracked down or changed the password for the user that still had Administrator access, but since I had some time and there was no production impact, I decided to do some poking around.
***DISCLAIMER*** ***WARNING*** ***DANGER***
Make sure you have a good backup of your vCenter database and know how to get yourself out of a jam before messing around in it. You have been warned!
I came across a forum thread about exporting the original VPX_ACCESS table from the vCenter database and then importing it over the new VPX_ACCESS table. This gave me the idea to just try to manually add the Domain Admins group to the VPX_ACCESS table.